DEFCON Qual CTF 2024 - PWN - suscall challenge
(In the name of Allah, the Most Gracious, the Most Merciful)
(If I have done well, it is from Allah; if I have done badly, it is from myself and Satan)
Solving the "suscall" challenge from DEFCON Qual 2024 (solved after the CTF ended).
The first step is reversing the binary with Ghidra. After some static and dynamic analysis, inspecting the stack shows the allocation, and the address [0x4040c8] points to the print function, which lives at [0x4012e9].
- The first issue is the "exit" function, which is called after detection, i.e. after printing that there is a sus file. How can we bypass it? If we can overwrite the address of exit, the issue is solved.
- After understanding the binary better: the struct created at the start holds the pointer at which writing begins, so if we can write the "exit@got" address into that pointer, whatever we send afterwards will be stored at this new location.
- Our idea now is to write "exit@got" into [0x4064a0] and then send what we want to replace the "exit" function with; a "ret" instruction will do.
- The second issue is how to get the libc address in order to calculate the address of the system function.
- To solve this, a teammate overwrote the print function with printf, adding another vulnerability to the binary (a format string bug) to leak libc; we do the same again once we have the system function.
Note that the pointer at offset "0x2308+8" is where the next input will be written, so we add padding "0x2308+our_addr".
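The GOT overwrite above only works because the binary leaves "exit@got" writable (no Full RELRO) and uses fixed addresses (no PIE). As an added example that is not part of the writeup, the stdlib-only checker below (hypothetical names relro_status and build_elf; build_elf fabricates a minimal ELF64 image for testing, not the challenge binary) reports whether a given ELF is still exposed to this class of attack:

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8
ET_EXEC, ET_DYN = 2, 3

def relro_status(elf: bytes) -> dict:
    """Parse ELF64 program headers and the dynamic section to decide whether
    the GOT is writable at runtime (Partial/None RELRO) and whether PIE is on."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not a 64-bit ELF")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    has_relro, bind_now = False, False
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True           # loader will mprotect the RELRO region read-only
        elif p_type == PT_DYNAMIC:
            off = p_offset             # walk Elf64_Dyn entries for BIND_NOW
            while off + 16 <= p_offset + p_filesz:
                d_tag, d_val = struct.unpack_from("<qQ", elf, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                    bind_now = True    # all symbols resolved before main, GOT inside RELRO
                off += 16
    relro = "Full" if has_relro and bind_now else "Partial" if has_relro else "None"
    return {"relro": relro, "pie": e_type == ET_DYN, "got_writable": relro != "Full"}

def build_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed sample: ELF header, program headers and a dynamic section only.
    Not loadable; just enough structure to exercise relro_status()."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phnum, phoff = 1 + int(relro), 64
    dyn_off = phoff + 56 * phnum
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + b"\0" * 9      # 64-bit, little-endian
    ehdr += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                        phoff, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + phdrs + dyn

if __name__ == "__main__":
    print(relro_status(open("/path/to/binary", "rb").read()))  # placeholder path
```

A result of got_writable=True together with pie=False is exactly the combination this challenge relies on; linking with -Wl,-z,relro,-z,now and -pie closes both.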
So our script does the following:
- Overwrite "exit@got" with a "ret" instruction. We are then at the top of the custom_heap, which we do not want to corrupt, so we add the read function again after padding offset "0x18".
- Replace the print function with "printf" to make it vulnerable to a format string attack and leak the libc address.
- Calculate the address of the system function.
- Overwrite the "printf" function with the system function and send a new file containing our payload "sus;sh;", so "system" is called with it and we get a shell.
The final script is on GitHub.
Special thanks to my teammates (especially @pipironii); without them I could not have solved this challenge or any other challenge in this CTF.